b889599d491f54d24c69df41e08475343b63b862c244ef3e251ff75803516068

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Size

327KB
MD5

997f39e96ad37cba3e4261b750ae1dd8
SHA1

b7364983c6cff0f64e408d3f41cd0338ac9c5035
SHA256

b889599d491f54d24c69df41e08475343b63b862c244ef3e251ff75803516068
SHA512

67f4d824d971efe8bbcd6c8a4ab1ff6d549422b5dc5125a05680f907591b313f6891846268489417319a5b033cccba54509c11952347c1a288ecbf1f18b02218
SSDEEP

6144:c2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:c2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2936	winit32.exe
2040	winit32.exe

Loads dropped DLL 3 IoCs

pid	Process
1244	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
1244	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
1244	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\shell\runas\command	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\shell	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\shell\open	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\DefaultIcon	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\DefaultIcon\ = "%1"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\Content-Type = "application/x-msdownload"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\shell\open\command	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\winit32.exe\" /START \"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\ = "Application"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\DefaultIcon\ = "%1"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\shell\runas\command\ = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\shell\open	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\winit32.exe\" /START \"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\shell\runas	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\shell\open\command	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\shell	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\shell\runas	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\ = "ntdriver"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\DefaultIcon	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\ntdriver\shell\runas\command	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2936	winit32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2936	1244	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe	28
PID 1244 wrote to memory of 2936	1244	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe	28
PID 1244 wrote to memory of 2936	1244	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe	28
PID 1244 wrote to memory of 2936	1244	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe	28
PID 2936 wrote to memory of 2040	2936	winit32.exe	29
PID 2936 wrote to memory of 2040	2936	winit32.exe	29
PID 2936 wrote to memory of 2040	2936	winit32.exe	29
PID 2936 wrote to memory of 2040	2936	winit32.exe	29

C:\Users\Admin\AppData\Local\Temp\997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
327KB

MD5
8defb087961484438d7cfc40d86703e5

SHA1
898ef1a660bcc5ec0e2102f008e0978ac6677b65

SHA256
e9469cb667b6c4ac0efdc9019949492be143a5a705b22ed81925efaf1df51367

SHA512
da22d66ccba7dae0ea551c81ebc4e1ebaaeb0590ebe936ca4ecb9746361ae83f5ec7135222ec94079ec7d3d246359c41d9040a229e1151373043a43c86ea8971

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
327KB

MD5
8defb087961484438d7cfc40d86703e5

SHA1
898ef1a660bcc5ec0e2102f008e0978ac6677b65

SHA256
e9469cb667b6c4ac0efdc9019949492be143a5a705b22ed81925efaf1df51367

SHA512
da22d66ccba7dae0ea551c81ebc4e1ebaaeb0590ebe936ca4ecb9746361ae83f5ec7135222ec94079ec7d3d246359c41d9040a229e1151373043a43c86ea8971

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
327KB

MD5
8defb087961484438d7cfc40d86703e5

SHA1
898ef1a660bcc5ec0e2102f008e0978ac6677b65

SHA256
e9469cb667b6c4ac0efdc9019949492be143a5a705b22ed81925efaf1df51367

SHA512
da22d66ccba7dae0ea551c81ebc4e1ebaaeb0590ebe936ca4ecb9746361ae83f5ec7135222ec94079ec7d3d246359c41d9040a229e1151373043a43c86ea8971

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
327KB

MD5
8defb087961484438d7cfc40d86703e5

SHA1
898ef1a660bcc5ec0e2102f008e0978ac6677b65

SHA256
e9469cb667b6c4ac0efdc9019949492be143a5a705b22ed81925efaf1df51367

SHA512
da22d66ccba7dae0ea551c81ebc4e1ebaaeb0590ebe936ca4ecb9746361ae83f5ec7135222ec94079ec7d3d246359c41d9040a229e1151373043a43c86ea8971

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
327KB

MD5
8defb087961484438d7cfc40d86703e5

SHA1
898ef1a660bcc5ec0e2102f008e0978ac6677b65

SHA256
e9469cb667b6c4ac0efdc9019949492be143a5a705b22ed81925efaf1df51367

SHA512
da22d66ccba7dae0ea551c81ebc4e1ebaaeb0590ebe936ca4ecb9746361ae83f5ec7135222ec94079ec7d3d246359c41d9040a229e1151373043a43c86ea8971

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
327KB

MD5
8defb087961484438d7cfc40d86703e5

SHA1
898ef1a660bcc5ec0e2102f008e0978ac6677b65

SHA256
e9469cb667b6c4ac0efdc9019949492be143a5a705b22ed81925efaf1df51367

SHA512
da22d66ccba7dae0ea551c81ebc4e1ebaaeb0590ebe936ca4ecb9746361ae83f5ec7135222ec94079ec7d3d246359c41d9040a229e1151373043a43c86ea8971

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
327KB

MD5
8defb087961484438d7cfc40d86703e5

SHA1
898ef1a660bcc5ec0e2102f008e0978ac6677b65

SHA256
e9469cb667b6c4ac0efdc9019949492be143a5a705b22ed81925efaf1df51367

SHA512
da22d66ccba7dae0ea551c81ebc4e1ebaaeb0590ebe936ca4ecb9746361ae83f5ec7135222ec94079ec7d3d246359c41d9040a229e1151373043a43c86ea8971

Download Submit